Archive

Ransomware steals email addresses and passwords; spreads to contacts.

Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that some changes in an “agreement’ were made and the victim needs to check them before signing the document.

The message has a zip file in an attachment, which contains a downloader in Javascript. The attachment contains a simple downloader which downloads several files to %TEMP% and executes one of them.
The files have .btc attachment, but they are regular executable files.

After downloading all the available tools, it opens a document with the supposed document to review and sign. However, the document contains nonsense characters and a message in English which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.

Let us present the long-term analysis of malware which was designed to steal credentials from more than 25 largest banking and payment systems in Brazil. The unique features of this banking malware include the usage of valid digital certificates, 3 years of evolution and stealing credentials from e-commerce admin pages. This feature opens doors for attackers, who can then log in to e-commerce systems and steal information about customers and their payments.

This malware family combines all of these powerful functionalities and serves as a comprehensive tool for stealing money and sensitive personal data with dangerous efficiency.

Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks as if garbled and without any special meaning, and starts like this:

Upon closer observation, several strange things are to be noted. First, there are no alphanumerical symbols to be seen in any part of the code. Second, on the line before this code starts, there is actually an HTML tag indicating a start of Javascript code (<script>), preceded by 37 tabs. Therefore, when opening an infected file in a text editor, one cannot normally see the starting tag, because it is shifted all the way to the right. To be able to see it, you either have to horizontal scroll, or have word wrap on. The same trick is performed with the script closing tag as well. Why would anyone try to hide these tags? The answer is simple, to trick people into thinking this is not actually a Javascript code.

The latest version of Android 4.2, code-named “Jelly Bean” has been released some time ago. While being just an incremental update to the major 4.0 release “Ice Cream Sandwich”, Google introduced some major new features within that update. While offering multi-user support and improved notifications, a new feature which is being promoted heavily, is the built-in app scanner which should protect Android devices from being infected by malware.

The client side app scanner of Android 4.2 is the next step in Google’s attempts to protect their Android ecosystem from malware threats, after introducing Bouncer, a server-side malware scanner used by Google to analyze apps that are being uploaded to Google Play Store. Bouncer was announced in February 2012 and is Google’s approach to prevent malware from being uploaded to the Google Play store as a first line of defense.

Now, some authors claim that third party mobile security tools are most likely not needed anymore, because Google now already pre-checks all mobile apps. I’ve been closely monitoring all those changes and improvements because I wanted to make my own mind on how successful these attempts by Google would be and to find out how our Android antivirus scanner delivered within our free avast! Mobile Security suite (http://www.avast.com/free-mobile-security) would stack up to what the operating system vendor itself would be able to provide.

Since months before the release of avast! Mobile Security in December 2011, our virus lab was working on setting up the initial state of our Android malware database. The database contains signatures of all the malicious files our virus lab guys find over time and is being extended day-by-day to contain definitions of the newest threats in real-time. Currently, tens of millions of Android devices owned by our users download those definitions every day to their avast! client side scanners. So I just went to our virus lab and asked the guys there to provide me with some statistics on the growth of our Android malware database.

As I already stated, Bouncer was thought to be the first line of defense, and tries to protect the main source of app downloads from malicious offerings. Could it be that as a result of introducing Bouncer, our malware database stopped growing or started to decline in size when Bouncer was introduced? Has Google been successful? See for yourself:

Android Malware Database History (Click to enlarge)

Obviously, since February 2012, our Android malware growth has not started to decline; it has not even stalled its growth, but has been continuously growing since that point in time. Read more…

While we were researching the websites currently serving the new Microsoft Internet Explorer (IE) zero-day threat, we found that the new attack is being piggybacked on a slightly older attack aimed on industrial companies’ websites.

The hacked legitimate websites contain on their main pages a hidden iframe.

It was brought to our attention by this thorough Eric Romang article that a new zero-day exploit (an exploit actively used by cybercriminals in the wild) targets a bug in Microsoft’s Internet Explorer (IE) 7 & 8, and with some help from Java, it could be also exploited on IE 9, as confirmed by the Metasploit firm. At this time, as there is yet no patch from Microsoft, what can you do?

Inaccurate spelling means more than poor marks at school, it is a billion dollar business opportunity for typosquatters. At a single IP address, the AVAST Virus Lab has identified 8,600 typosquatting sites, registered variations of well-known sites or brands. Two identifiable targets were the Craig’s List online classified ad service and YouTube, other site addresses were parodies of Hotmail, Google, and YouTube – basically everyone.

After going to one of the identified typosquatting sites, visitors are redirected to one of several hundred “quiz” sites where they receive an offer of a “free” prize such as an iPhone. The sites typically make money through premium phone calls, selling advertisements, and reselling the emails collected from visitors.

Spelling errors are a huge moneymaker on the internet. A Harvard research paper[1] estimated that a major search engine alone could be making nearly a half billion dollars annually just on pay-per-click ads from typosquatting sites. Add in the other search engines and the revenue from the sites identified by AVAST, and typosquatting could easily be a billion dollar market.

“It is not technically malware, but it is online fraud and features like AutoCorrect in Microsoft Word have really let people get lazy with their spelling,” pointed out Jindrich Kubec, head of the AVAST Virus Lab. “The popularity of Craigslist with this one gang gives us a great sample set to demonstrate the types of spelling errors the bad guys are looking for.” Read more…

Not everyone appreciates an avast! warning. Some IT professionals find it hard to believe that an infection has taken place on the computers and the networks under their supervision.

“In today’s update you have included their website as being infected and harmful,” complained one web developer in an email to AVAST Software. “For the last month, it has been a brand new site. I have scanned the site with several online website scanners and they all come up clean.”

AVAST Software sends out a lot of warnings to users. During January of 2012, we recorded 1.87 billion incidents of our users encountering malware.

In this specific case, the company owners had avast! on their own computers and they were getting warnings that their site was infected. Even worse, because their avast! was blocking them from accessing their own site, they realized potential customers were also getting shut out – costing them money.

While online scans from two other security suppliers did not detect anything, Jiri Sejtko at the AVAST Virus Lab did. Read more…

The Duqu malware has raised the specter of Stuxnet II, with some in the security community claiming that this new Trojan is a reverse-engineered copy of Stuxnet – the infamous malware that may have sold more newspapers than it damaged nuclear centrifuges. Unlike Stuxnet, Duqu is designed to steal data from the targeted organization, not just destroy equipment. First noticed this summer, Duqu self-destructed after 30 days, than vanished again into cyberspace.Read more…

I’m 38 years old, lived my first 33 years in the USA, read and studied amply about US government agencies over the years (especially during my ultra-paranoid conspiracy theory phase in my early 20s), and yet, until today, I had never heard of DARPA.

According to Wikipedia, however, the agency has been around a while — longer than me, in fact: << Its original name was simply Advanced Research Projects Agency (ARPA), but it was renamed to “DARPA” (for Defense) in March 1972, then renamed “ARPA” again in February 1993, and then renamed “DARPA” again in March 1996. >>

It sounds like an agency with multiple personality disorder, but I guess it’s essentially a branch of the Department of Defense (DoD) that focuses on technological R&D.

Why am I telling you about it? Because I know a lot of readers of this blog are sharp-minded (maybe even genius-level) non-Luddites, who can actually understand what the guys in our Virus Lab talk about when they post here… and would jump at the chance to prove their skills (and win some money in the process). Read more…